Paul Walsh


Account Lockout - Find App/Process on account

Hi All,

I have an account that is constantly being locked within AD after a password change. On our secondary DC, looking at the event logs, it tells me the first DC is the computer that is causing the lockout. I have looked everywhere on this first DC for where this account is used, but cannot find it. On the first DC, within about 30 seconds of unlocking this account I can see an event that states that the particular credentials have been explicitly used. Any idea how I can find what app/process is using this account?

I have tried resetting the password back to what it used to be, however the account still gets locked out.

Thanks for your help.

Cheers,
Paul
SOLUTION
Zaheer Iqbal
Paul Walsh

ASKER

Hi,

Thanks for this, I have followed the steps provided. On the DC in question, with the account in question, I can only see an event with failure code 0x12 and not the 0x18 stated in the guide?

Cheers,
Paul
Hi,

What is strange is that it states the secondary domain controller is locked. There is no log of this domain controller locking my account. What I can find on my first domain controller is an event ID 4648 that states that the administrator account tried to log onto the second domain controller using this accounts credentials.

I would be more than grateful for any help.

Cheers,
Paul
Is the account used for a user / support user, or is it a service account?
Do you have any tasks running against that account or any services running as that account ?
Hi,

That's the strange thing, the account in question isn't a service account. I have checked under services and scheduled tasks and it isn't listed there either.
What I can see periodically on the first controller is an event ID 4648 with the account in question. Looks like the administrator is trying to log on using the problem account. In the process ID I get 0x4?

Cheers,
Paul
ASKER CERTIFIED SOLUTION
Hi,

Ok, finally cracked it. For some reason it wasn't logging that account lockout on the target controller. It did however log event 4625, which listed the first DC. I checked the logs on the corresponding DC and the timestamps matched the 4648 error, confirming the first DC as the culprit. The account wasn't assigned to any services or scheduled tasks. Came across this: https://www.morgantechspace.com/2013/07/how-to-clear-windows-cached-credentials.html

and lo and behold, the problem account had a cached credential. Removed the defunct entry, ensured everything was still running as expected, and hey presto, strange problem fixed.

Thanks for all your help, I will split the points.

Paul
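The thread above works through the usual lockout chain by hand: 4740 on the PDC names the caller computer, 4625/4648 on that computer show the failing logon and the process that supplied the credentials (a 4648 with process ID 0x4 means the System process itself presented them, which points at a service, a task or a saved vault entry rather than a person at a keyboard), and the Kerberos failure code explains the 0x12 vs 0x18 question: 0x12 is KDC_ERR_CLIENT_REVOKED (the account is already locked, disabled or expired), while 0x18 is KDC_ERR_PREAUTH_FAILED (a wrong password, the event that actually drives the bad-password count). The script below is an added example written for this page, not code from the thread, from Experts Exchange or from the linked morgantechspace article. It pulls those events for one account on a single domain controller, decodes the codes, and then checks the three places the stale credential in this thread could have lived: services, scheduled tasks and the Credential Manager vault. The account name, the time window and the assumption that it runs elevated on the DC named as "Caller Computer Name" are placeholders for your environment.

```powershell
<#
Added example (not from the thread): build a lockout timeline for one account
on this DC and check where a stale credential may be stored. Run elevated on
the DC that event 4740 names as "Caller Computer Name".
$Account and $Hours are placeholders.
#>
param(
    [string]$Account = 'locked.user',   # placeholder sAMAccountName
    [int]$Hours = 24
)

# Kerberos KRB-ERROR codes seen in the Status field of 4768/4771 (RFC 4120).
$krbCodes = @{
    '0x12' = 'KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out'
    '0x17' = 'KDC_ERR_KEY_EXPIRED: password expired'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED: wrong password'
}
# NTSTATUS sub-status codes seen in 4625.
$ntCodes = @{
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xc000006d' = 'STATUS_LOGON_FAILURE'
}

# Flatten an event's EventData into a Name -> value hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# 4740 lockout, 4625 logon failure, 4648 explicit credentials,
# 4768 TGT request, 4771 Kerberos pre-authentication failure.
$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4625, 4648, 4768, 4771
    StartTime = (Get-Date).AddHours(-$Hours)
}

$timeline = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertTo-EventData $_
    if ($d['TargetUserName'] -ne $Account) { return }   # keep only the account of interest
    switch ($_.Id) {
        4740 { $source = $d['TargetDomainName']            # this field carries Caller Computer Name
               $detail = 'account locked out' }
        4625 { $source = "$($d['WorkstationName']) $($d['IpAddress'])"
               $code   = ([string]$d['SubStatus']).ToLower()
               $detail = "logon failure $code $($ntCodes[$code]) via $($d['ProcessName'])" }
        4648 { $source = "$($d['SubjectUserName']) -> $($d['TargetServerName'])"
               $detail = "explicit credentials used, PID $($d['ProcessId']) $($d['ProcessName'])" }
        default { $source = $d['IpAddress']
                  $code   = ([string]$d['Status']).ToLower()
                  $detail = "Kerberos $code $($krbCodes[$code])" }
    }
    [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Source = $source; Detail = $detail }
} | Sort-Object Time

$timeline | Format-Table -AutoSize

# The three places a forgotten credential usually hides.
"--- services running as $Account ---"
Get-CimInstance Win32_Service | Where-Object StartName -like "*$Account*" |
    Select-Object Name, StartName, State

"--- scheduled tasks running as $Account ---"
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$Account*" } |
    Select-Object TaskName, TaskPath, State

"--- Credential Manager entries mentioning $Account ---"
cmdkey /list | Select-String -Pattern $Account -Context 1, 0
```

Read the timeline from the bottom up: a run of 4771 with 0x18 (or 4625 with 0xc000006a) followed by a 4740 is the real lockout; 0x12 and 0xc0000234 only tell you the account was already locked when the request arrived. Note that `cmdkey /list` shows only the vault of the user running it, so if the 4648 names a different subject account (in the thread, the administrator), run that last check in that account's context as well.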
Ah ok, yes I remember this. Apologies, maybe I misread your question; I didn't state that you were logging in as the account and then after a while it was getting locked out.

Thanks for the points.